Efficient Codes for Limited View Adversarial Channels

Reihaneh Safavi-Naini, Pengwei Wang
Department of Computer Science
University of Calgary
Calgary, Canada
Email: [rei, pengwwan]@ucalgary.ca




Abstract — We introduce randomized Limited View (LV) adversary codes that provide protection against an adversary that uses their partial view of the communication to construct an adversarial error vector to be added to the channel. For a codeword of length N, the adversary selects a subset of p_r N of the codeword components to "see", and then "adds" an adversarial error vector of weight p_w N to the codeword. Performance of the code is measured by the probability of the decoder failing to recover the sent message. An (N, q^{RN}, δ)-limited view adversary code ensures that the success chance of the adversary in making the decoder fail is bounded by δ when the information rate of the code is at least R. Our main motivation to study these codes is providing protection for wireless communication at the physical layer of networks.

We formalize the definition of adversarial error and decoder failure, and construct a code with efficient encoding and decoding that allows the adversary to, depending on the code rate, read up to half of the sent codeword and add error on the same coordinates. The code is non-linear, has an efficient decoding algorithm, and is constructed using a message authentication code (MAC) and a Folded Reed-Solomon (FRS) code. The decoding algorithm uses an innovative approach that combines the list decoding algorithm of the FRS codes and the MAC verification algorithm to eliminate the exponential size of the list output from the decoding algorithm. We discuss the application of our results to the Reliable Message Transmission problem, and open problems for future work.

I. Introduction 

Shannon [18] formalized the study of reliable communication over noisy channels where transmitted symbols are changed according to a known fixed probability distribution. In adversarial channels corruption of transmitted symbols is adversarial: the adversary can corrupt any subset of the symbols as long as the size of the set is bounded and is a constant fraction of the transmitted sequence. Much less is known about adversarial channels. For example, although it is well known that the information capacity of a binary symmetric channel with crossover probability p is 1 − H(p), the answer to the same question in the case of binary adversarial channels where the adversary corrupts a p fraction of bits is unknown, although it is known that it is much less than 1 − H(p). Adversarial channels have received much attention in recent years [18], [12], [13] as they provide a powerful method of modelling communication channels where the channel behaviour is not known or varies over time.

In adversarial channels, one commonly assumes that the sent codeword is known, or even chosen (for example in randomized codes) by the adversary and that the adversary is allowed to corrupt a fraction of the sent symbols. For unique decoding the number of errors must be less than half the minimum distance of the code, and for a higher fraction of errors one needs to make extra assumptions, such as a secret key shared by the sender and receiver in private codes [12], or a bound on the computation of the adversary [14].

In this paper we consider an adversary with unlimited computation but assume that the adversary has a limited view of the transmitted codeword. That is, we assume the adversary can see only a fraction of the sent codeword and can add errors to a fraction, possibly different, of the codeword. In other words, the adversarial capability is specified by a pair of parameters (p_r, p_w), meaning that the adversary can read p_r N components of their choice, and corrupt p_w N components of their choice. We do not assume any shared secret key.

A. Motivations 

One of the motivations of our work is to model an on-line adversary in a wireless communication system, where the adversary can partially observe the communicated symbols before tampering with them [15].

We assume the encoded message is a q-ary vector and that the adversary can choose the positions that he would like to "see" (the remaining positions are not visible to the adversary) and then designs the tampering vector (noise) that is "added" to the encoded message. Our definition of limited view adversary codes aims to guarantee reliable authentic communication at the physical layer of communication channels; this means that the decoder will never output an incorrect (un-authentic) message, and only with a very small probability fails to output the correct message. A somewhat similar scenario has been considered in Algebraic Manipulation Detection (AMD) codes [3], where the encoded message is stored in a secure storage and the adversary can only "add" errors to the codeword. In AMD codes the adversary cannot "see" the stored codeword and the aim of the code is to detect tampering with the message. We allow some partial information to be "leaked" to the adversary and the goal of the coding is to correctly recover the message. Note that because the code is randomized, recovering the message does not imply that the added noise can be found.



A second motivation for our model is to study 1-round δ-Reliable Message Transmission (RMT) [?] as a code and so establish the relationship between two seemingly different areas, communication over networks and communication over noisy channels. Such a relationship can enrich the tools and techniques developed in each area and result in better understanding and constructions in the two cases. In the RMT scenario a sender is connected to a receiver through a set of N node disjoint communication paths, a subset of which is controlled by an adversary who can see what is sent on a controlled path and can replace it with a value of their choosing. Communication paths in the RMT scenario are assumed end to end and, unlike network coding [?], nodes in the network do not take part in the communication protocol. In RMT the information processing is by the legitimate users (encoding and decoding) and happens at the ends of a path. The adversary interacts with the system by reading a subset of paths and changing the value sent over another subset of paths. When the two subsets are the same, the modification can be represented as adding an error vector. δ-RMT protocols in general are multi-round and guarantee that the message is correctly received with probability at least 1 − δ. The bulk of research on δ-RMT protocols assumes the adversary reads and modifies the same subset of paths.

B. Our work 

We define and formalize randomized (stochastic) limited view adversary codes, with security against an adversary who can choose a fraction of positions of the codeword to read and then add errors. For codewords of length N, a (p_r, p_w) adversary selects a subset of p_r N components to see, and then adds (component-wise addition over F_q) an error vector of weight p_w N to the codeword. The decoder outputs either the correct message or a symbol ⊥, which shows decoder failure. Performance of a code is measured by the probability of the decoder outputting ⊥; this is the success probability of the adversary in making the decoder fail. An (N, M, δ)-LV adversary code guarantees that the message can be correctly recovered against a (p_r, p_w) adversary, and the success chance of the adversary in making the decoder fail is upper-bounded by δ. The information rate of a code of length N with M codewords is (log_q M)/N. A good code will have high information rate for high values of p_r and p_w.

We construct an (N, M, δ)-LV adversary code that is non-linear, and uses two building blocks: a message authentication code and a Folded Reed-Solomon (FRS) code. To encode a message m, the sender first chooses N appropriately constructed secret keys, uses the keys to construct N authentication tags for the message using the chosen MAC (see MAC Construction II for details), and appends the tags to the message. The tagged message is then encoded using an FRS code. The i-th component of the final codeword which is sent to the receiver consists of the corresponding component of the FRS code and the MAC key. The decoder recovers the correct message in a conceptually two step process: using the list decoding algorithm of the FRS code to construct a list of possible codewords and then applying the MAC verification algorithm to output either the correct message, or ⊥. This two step algorithm however can result in exponential cost decoding because the output list of the FRS decoding algorithm can be of exponential size. A previous application of the general approach of using MACs and FRS codes for the construction of 1-round RMT [16] has this shortcoming. The innovation in this paper is to combine the system of linear equations resulting from the algebraic list decoding algorithm [9] of FRS codes with a set of linear equations resulting from the verification algorithm of a specially constructed MAC, to have a single system of linear equations whose solution gives the correct message with high probability. The MAC in this construction must be a key efficient MAC that can be used for messages of different lengths and has a verification algorithm suitable for efficient decoding. MAC Construction II satisfies these properties and could be of independent interest. The final decoder complexity is polynomial.

The code allows the adversary to, depending on the code rate, read up to half of the codeword and add errors on the same number of coordinates.

RMT Construction: One of the motivations for defining LV adversary codes is to cast the 1-round δ-RMT construction as a coding problem. Our construction of an LV adversary code can be immediately used to give an optimal 1-round δ-RMT construction (see Section II-B for definitions) whose parameters match the best known RMT constructions [16]. It is interesting to note that the LV adversary code parameters provide a more refined set of parameters for the evaluation of RMT. In particular, a 1-round δ-RMT is optimal if the transmission rate is O(1). Noting that the transmission rate in RMT is the inverse of the information rate (see Section II-B) in LV adversary codes, any LV adversary code with non-zero information rate immediately results in an optimal 1-round δ-RMT. For LV adversary codes however the rate of information communication is a key efficiency parameter and the goal is to maximize this rate (with other parameters fixed). The LV adversary code view of 1-round δ-RMT allows comparison of optimal systems in terms of their information rate. In addition to providing efficient decoding, the LV adversary code construction in this paper allows the parameters of the 1-round δ-RMT code to be chosen such that the protocol achieves maximum information rate.

LV adversarial channels and codes open many new questions. Finding general bounds and relationships among the information rate R and the observation and corruption ratios, p_r and p_w respectively, and finding the highest information rate (capacity) of LV adversary codes remain important research questions. Also the construction of good codes by refining our approach here (combining message authentication codes and list decodable codes), or using new approaches, are interesting open problems.

C. Related work 

In a previous submission [11] we introduced deterministic LV adversary codes and gave a deterministic construction of such codes. Deterministic encoding enforces restrictions on p_r and p_w that can be overcome by randomized codes. The definition of decoder error in this paper follows the same approach as for deterministic codes, but is in terms of probabilities instead of the combinatorics of the code. This is needed because the randomized nature of the code removes restrictions that are dictated by the deterministic (one message, one codeword) nature of the code. In the same submission we also showed how to adapt a 1-round RMT protocol in [16] to construct a randomized construction for limited view codes. The decoding complexity of this construction was exponential and no security model and proof was provided for the code.

Protection against message manipulation was first considered in [2] and later formalized as message authentication codes in [19]. As noted earlier, message authentication codes require a shared secret key and provide protection against a powerful adversary who can completely replace a sent coded message with another one. The security guarantee for these codes is detection of manipulation.

Adversarial tampering by an adversary that does not "see" the encoded message has been considered in [3]. AMD codes do not need a secret key but tampering is only by adding an adversarial noise. LV adversary codes do not require a shared secret and aim at recovering the message. They limit manipulation to adding the noise but allow the adversary to partially see the codeword before designing their adversarial noise vector.

Adversarial channels have been widely studied in the literature [1], [11]. Our model of adversarial channel has similarity with the model in [13] where binary oblivious channels are introduced. In oblivious channels the adversary sees the codeword, and depending on the level of obliviousness, can use one of a limited number of distributions on the error vectors that are available to them. A γ-oblivious adversary can employ at most 2^{1−γ} error distributions for corrupting the codewords. In these codes each codeword is associated with one error distribution. By limiting the adversary's reading capability, our limited view adversary also effectively limits the number of distributions that the adversary can use. However each codeword can have more than one error distribution.

Organization. In Section 2, we give the background for Folded Reed-Solomon codes, 1-round δ-RMT codes and message authentication codes. In Section 3, we introduce the randomized limited view adversary code and give new constructions for MACs. In Section 4, we present an efficient construction for a randomized limited view adversary code. Section 5 discusses our results, open problems and future work.

II. Background 

We give an overview of the main building blocks and 
definitions required in this paper. 

A. Folded Reed-Solomon code 

Error correcting codes are used for reliable data transmission over noisy channels. Let the message space be a set M with probability distribution Pr(m).

Definition 1: An [N, q^{RN}] error correcting code C with information rate R is a set of q^{RN} code vectors C = {c_1, ⋯, c_{q^{RN}}} where c_j ∈ F_q^N. The code has two algorithms: an encoding and a decoding algorithm. The encoding algorithm Enc : M → C maps a message from M to a codeword in C that is sent over the channel. The decoding algorithm Dec : F_q^N → M ∪ {⊥} is a deterministic algorithm that takes any vector in F_q^N and outputs a message in M or fails, outputting the symbol ⊥. A decoder error occurs if Dec(Enc(m, r)) ≠ m.

The Hamming weight of a vector e ∈ F_q^N is denoted by wt(e) and is the number of non-zero components of e. For a vector y ∈ F_q^N and an integer r, let B(y, r) be the Hamming ball of radius r centred at y. Let p denote the fraction of errors (the number of errors divided by the length of the codeword) that can be corrected by the decoder.

Definition 2: A Bounded Distance Decoding (BDD) algorithm Dec(y) takes a received word y = (y_1, ⋯, y_N) and outputs m ∈ M if m is the unique message of the codeword(s) that are at distance at most wt(e) from y. The decoder outputs ⊥ otherwise.

For deterministic codes, the above definition implies that the decoder outputs m if Enc(m) is the only codeword in B(y, wt(e)). In randomized codes however, B(y, wt(e)) may contain more than one encoding of m.

Using bounded distance decoding, the receiver R outputs either a message m or the fail symbol ⊥, that is Dec(y) ∈ M ∪ {⊥}.

The above decoding is a unique decoding algorithm and requires that the output is a single message, or the fail symbol. For this decoding, correct decoding can be guaranteed if p is less than half of the (relative) minimum distance of the code, that is p < (1 − R)/2. The Reed-Solomon code has an efficient unique decoding algorithm that can correct at most a fraction p = (1 − R)/2 of errors.

Definition 3: An (N, k) Reed-Solomon code with block length N (≤ q) and dimension k over the field F_q is a linear code with encoding and decoding described below. A message block of length k defines a polynomial f(x) of degree at most k − 1 over F_q. The codeword corresponding to this message block is the vector obtained by the evaluation of this polynomial at N distinct values α_1, ⋯, α_N, where α_i ∈ F_q, i = 1 ⋯ N. That is, the codeword is (f(α_1), ⋯, f(α_N)).

For higher error ratios, one can use list decoding [6], where the decoder outputs a list of possible codewords (messages).

Definition 4: Let an (N, q^{RN}) code be a code with length N and information rate R. A code C is (p, L)-list decodable if the number of codewords within distance pN of any received word is at most L. That is, for every word y ∈ F_q^N, there are at most L codewords at distance pN or less from y. List decodable codes can potentially correct up to a 1 − R fraction of errors. This is twice that of unique decoding and is called the list decoding capacity of the code.

Construction of good codes with efficient list decoding algorithms is an important research question. An explicit construction of a list decodable code that achieves the list decoding capacity p = 1 − R − ε is given by Guruswami et al. [9]. The code is called the Folded Reed-Solomon code (FRS code) and has polynomial time encoding and decoding algorithms.

Definition 5: A u_1-folded Reed-Solomon code is a code with block length N = n/u_1 over F_q^{u_1} with |F_q| > n. We represent the message by a polynomial f(x) of degree at most k over F_q. The FRS codeword is over F_q^{u_1} and each of its components is a u_1-tuple (f(γ^{j u_1}), f(γ^{j u_1 + 1}), ⋯, f(γ^{j u_1 + u_1 − 1})), for 0 ≤ j < N, where γ is a generator of F_q^*. In other words, a codeword of a u_1-folded Reed-Solomon code of length N is in one-to-one correspondence with a codeword c of a Reed-Solomon code of length u_1 N, and is obtained by grouping together u_1 consecutive components of c:

\[
\begin{bmatrix}
f(1) & f(\gamma^{u_1}) & \cdots & f(\gamma^{u_1(N-1)}) \\
f(\gamma) & f(\gamma^{u_1+1}) & \cdots & f(\gamma^{u_1(N-1)+1}) \\
\vdots & \vdots & & \vdots \\
f(\gamma^{u_1-1}) & f(\gamma^{2u_1-1}) & \cdots & f(\gamma^{u_1 N-1})
\end{bmatrix}
\qquad (1)
\]



We denote the encoding algorithm of the FRS code by Enc_FRS. u_1 is called the folding parameter of the FRS code.
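The following Python encoder is an added example (not the authors' code) of Definition 5 and Eq. (1): it computes a plain Reed-Solomon codeword at the points 1, γ, γ², … and folds it into u_1-tuples. It assumes q is prime (so γ can be found by brute force) and N·u_1 ≤ q − 1; the function names are mine.

```python
# Folded Reed-Solomon (FRS) encoder over a prime field F_q, illustrating
# Definition 5 / Eq. (1).  Assumptions: q prime, gamma generates F_q^*, and
# N * u1 <= q - 1 so that the evaluation points gamma^0 .. gamma^(u1 N - 1)
# are distinct field elements.

def is_generator(g, q):
    """True iff g generates the multiplicative group F_q^* (q prime)."""
    seen, x = set(), 1
    for _ in range(q - 1):
        x = (x * g) % q
        if x in seen:          # cycle closed early: order of g is < q-1
            return False
        seen.add(x)
    return len(seen) == q - 1

def find_generator(q):
    """Smallest generator of F_q^*, found by brute force (fine for small q)."""
    return next(g for g in range(2, q) if is_generator(g, q))

def poly_eval(coeffs, x, q):
    """Horner evaluation of f(x) = sum_i coeffs[i] * x^i over F_q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc

def rs_encode(message, n, q, gamma):
    """Reed-Solomon codeword of length n: (f(gamma^0), ..., f(gamma^(n-1)))."""
    if n > q - 1:
        raise ValueError("need n <= q-1 distinct evaluation points")
    return [poly_eval(message, pow(gamma, t, q), q) for t in range(n)]

def frs_encode(message, N, u1, q, gamma):
    """u1-folded RS codeword of block length N over F_q^{u1}.
    Component j is the column j of Eq. (1):
        (f(gamma^{j u1}), f(gamma^{j u1 + 1}), ..., f(gamma^{j u1 + u1 - 1}))."""
    c = rs_encode(message, N * u1, q, gamma)
    return [tuple(c[j * u1:(j + 1) * u1]) for j in range(N)]

def unfold(frs_codeword):
    """Inverse of the folding: recover the length-u1*N RS codeword."""
    return [s for comp in frs_codeword for s in comp]

if __name__ == "__main__":
    # Constructed toy instance: q = 17, f(x) = 1 + 2x, N = 4, u1 = 2.
    q = 17
    gamma = find_generator(q)
    print("generator:", gamma)
    print("FRS codeword:", frs_encode([1, 2], 4, 2, q, gamma))
```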

There are a number of efficient list decoding algorithms for FRS codes. We will use the linear algebraic FRS decoding algorithm [9]. The algorithm reduces the list decoding problem of the code to solving a set of linear equations. This algorithm, although not the best in terms of the number of corrected errors, asymptotically achieves the list decoding capacity. The structure of the decoding algorithm of the FRS code makes it possible to combine it with the new MAC verification algorithm, to obtain an efficient decoding algorithm for the LV adversary code. The following lemma gives the decoding capability of the linear algebraic FRS decoder.

Lemma 1: [9] For the Folded Reed-Solomon code of block length N and rate R = k/(u_1 N), the following holds for all integers 1 ≤ v ≤ u_1. Given a received word y ∈ (F_q^{u_1})^N, in O((N u_1 log q)^2) time, one can find a basis for a subspace of dimension at most v − 1 that contains all message polynomials f ∈ F_q[X] of degree less than k whose FRS encoding agrees with y in at least a fraction

\[
N - pN \;\ge\; N\left(\frac{1}{v+1} + \frac{v}{v+1}\cdot\frac{u_1 R}{u_1 - v + 1}\right)
\]

of the N codeword positions. The algorithm outputs a list of size at most q^{v−1}.

The decoding algorithm of the FRS code is in Appendix A.

B. Reliable Message Transmission 

In a 1-round δ-RMT problem, the sender S and the receiver R are connected by N node disjoint paths. The goal is to enable S to send a message m, drawn from the message space M, to R such that R receives the message reliably. The adversary A has unlimited computational power and, in threshold RMT, can corrupt any subset of at most t out of the N paths, which is unknown to S and R: the adversary can eavesdrop, block or modify communication that is sent over the corrupted wires. S uses the encoding algorithm of the RMT protocol to encode the message m into a transcript that is sent to R. The transcript may be corrupted by A and is received by R, who uses the decoding algorithm of the RMT protocol to output a message m, or output ⊥.

Definition 6: An RMT protocol between S and R is a 1-round δ-reliable message transmission (δ-RMT) protocol if R correctly receives the message m with probability ≥ 1 − δ, and outputs ⊥ with probability ≤ δ. The receiver never outputs an incorrect message:

\[
\Pr[R \text{ outputs } \bot] \le \delta
\]

The transmission efficiency is measured by the transmission rate, which is the ratio of the total number of bits transmitted from S to R to the length of the message in bits. Protocols whose transmission rate asymptotically matches the lower bounds are called optimal. Optimal 1-round δ-RMT protocols must have transmission rate O(1).

Computational efficiency is measured by the computational complexity of the encoding and the decoding, as a function of N. An efficient scheme needs polynomial (in N) computation for both the encoding and the decoding algorithm.

C. Message authentication codes 

A message authentication code (MAC) is a cryptographic primitive that allows a sender who shares a secret key with the receiver to send an information block over a channel that is tampered with by an adversary, enabling the receiver to verify the integrity of the received message. We follow the terminology of [19] and refer to the information block as the source state, and to the authenticated message that is sent over the channel as the message. A message authentication code consists of two algorithms (MAC, Ver) that are used for tag generation and verification, respectively. The sender of a source state x computes an authentication tag, or simply a tag, y = MAC(k, x), and forms the message (x, y) to be sent over the channel. The receiver accepts the pair (x, y) if Ver(k, (x, y)) = 1. Security of a 1-time MAC is defined by requiring, for x' ≠ x,

\[
\Pr\big[(x', y') : \mathrm{Ver}(k, (x', y')) = 1 \;\big|\; (x, y),\; y = \mathrm{MAC}(k, x)\big] \le \epsilon
\]

III. Model, Definitions and Building Blocks 

We first introduce our model of randomized LV adversarial 
channel, and define the decoding error for randomized LV 
adversary codes. We then describe the construction of a new 
message authentication code with provable security, that is used 
in the construction of the LV adversary code. 

A. Limited view adversary 

An (N, M) randomized LV adversary code C of length N with M codewords over F_q consists of a probabilistic encoding algorithm, Enc : M × U → C, from a message set M of size M to a code book C. Here U is the randomness used in the encoding. The encoding and decoding algorithms are Enc(m, r) and Dec(y) ∈ M ∪ {⊥}, respectively. Let C_m = {c : c = Enc(m, r), ∀r ∈ U}. To guarantee perfect decodability without error, we assume C_m ∩ C_{m'} = ∅ for m ≠ m'.

Let [N] = {1, ⋯, N}, and let S_r = {i_1, ⋯, i_{p_r N}} ⊆ [N] and S_w = {j_1, ⋯, j_{p_w N}} ⊆ [N] be two subsets of positions.



Definition 7: A (p_r, p_w) limited view adversary, or a (p_r, p_w) LV adversary for short, has two capabilities: reading and writing. For a codeword of length N, these capabilities are:

• Reading: The adversary reads a subset S_r of size p_r N of the components of the sent codeword c and learns (c_{i_1}, ⋯, c_{i_{p_r N}}).

• Writing: The adversary adds (component-wise and over F_q) to the sent codeword an error vector e with wt(e) = p_w N, whose non-zero components are on S_w. The corrupted components of c in S_w are (y_{j_1}, ⋯, y_{j_{p_w N}}).

The adversary is adaptive: that is, the adversary first chooses i_1 to see, and based on the seen value c_{i_1} chooses i_2, and so on. That is, to choose any member of S_r the adversary uses the knowledge of all the components that have been seen until then. The adversary then adaptively chooses S_w and the error vector e.

B. Randomized limited view adversary code 

By observing the values {c_{i_1}, ⋯, c_{i_{p_r N}}}, the adversary can determine a subset of possible sent codewords (those that match the seen positions). Let C[c_{i_1}, ⋯, c_{i_{p_r N}}] denote the set of codewords that have {c_{i_1}, ⋯, c_{i_{p_r N}}} in positions S_r = {i_1, ⋯, i_{p_r N}}.

1) Decoding error: The decoder uses bounded distance decoding with radius p_w N: for a received vector y, it considers all codewords that are in B(y, p_w N) and if it finds encodings of a unique message, it outputs that message; otherwise it outputs ⊥. The error vector e is of weight wt(e) ≤ p_w N and is chosen by the adversary after reading {c_{i_1}, ⋯, c_{i_{p_r N}}}. The adversary can find the failure probability of the decoder for any error vector e, and choose the "best" one; this is the e that results in the highest failure probability for the decoder.

Definition 8: Consider an additive error e with wt(e) = p_w N. The decoding error δ_e(C[c_{i_1}, ⋯, c_{i_{p_r N}}]) for a message m and an error e, if the adversary chooses to read S_r and sees {c_{i_1}, ⋯, c_{i_{p_r N}}} in those positions, is

\[
\delta_e(C[c_{i_1}, \cdots, c_{i_{p_r N}}]) = \Pr\big[\mathrm{Enc}(m, r) \in C[c_{i_1} \cdots c_{i_{p_r N}}] \;\wedge\; \mathrm{Dec}(\mathrm{Enc}(m, r) + e) = \bot \;\big|\; C[c_{i_1} \cdots c_{i_{p_r N}}]\big]
\]

The decoding algorithm fails, that is Dec(Enc(m, r) + e) = ⊥, if and only if there exists c' ∈ C \ C_m with c' ∈ B(c + e, p_r N). The decoding error for the decoder is

\[
\delta = \max_{S_r}\; \max_{c_{i_1}, \cdots, c_{i_{p_r N}}}\; \max_{e}\; \delta_e(C[c_{i_1}, \cdots, c_{i_{p_r N}}])
\]

Definition 9: An (N, M, δ) randomized LV adversary code with protection against a (p_r, p_w) adversary ensures that the probability of decoding failure, defined as above, is no more than δ.

C. MAC Construction 

In the following we first give Construction I for a MAC, and then in Section III-C2 give Construction II, which is an equivalent polynomial representation of it. This latter MAC will be used in the construction of the LV adversary code in Section IV-A. Construction I provides an intuitive understanding of Construction II.

Both MACs are ?/q^N-secure (the numerator of the bound is illegible in the source scan).

1) MAC Construction I: The MAC is defined over F_{q^N} and works for any length message. The source state of the MAC is x = (x_1, ⋯, x_l), where l is any integer and l > 0. The MAC key is r = (r_1, ⋯, r_d, r_{d+1}) where d is the smallest integer that satisfies d(d+3)/2 ≥ l. The message of the MAC is (x, tag). The tag generation is given by

\[
\mathrm{tag} = \mathrm{MAC}(x, r) = \sum_{1 \le m \le d} x_m r_m \;+\; \sum_{\substack{1 \le i \le j \le d \\ id + j - i(i-1)/2 \le l}} x_{\,id + j - i(i-1)/2}\; r_i r_j \;+\; r_{d+1} \pmod{q^N}
\]

The MAC function consists of three types of terms. For a message symbol x_m with index m, one of the three types, as defined below, is calculated. The final MAC is the sum of all the calculated terms.

1) x_m r_m, for 1 ≤ m ≤ d;

2) x_m r_i r_j, for d + 1 ≤ m ≤ l where m = id + j − i(i−1)/2 and 1 ≤ i ≤ j ≤ d;

3) r_{d+1}, which is independent of the message symbols.

For d + 1 ≤ m ≤ l, the algorithm works as follows.

1. Consider the message symbols x_{d+1}, x_{d+2}, ⋯, x_l as a sequence;

2. Construct a key sequence using the products of pairs of key symbols r_i and r_j as follows: start from the smallest i = 1, j = 1; increase j by one from i to d; then increase i by one and repeat, until the highest values of the two indexes are reached.

3. Find the product of x_m and the element of the key sequence constructed above that corresponds to position m.

It can be seen that for a given pair i and j, m will satisfy m = id + j − i(i−1)/2.

Lemma 2: The probability that a computationally unlimited adversary can forge a message (x', tag') with x' ≠ x that passes the verification test is no more than ?/q^N (numerator illegible in the source scan). We omit the security proof because of space, and because it is essentially the same as the proof for Construction II.

2) MAC Construction II: We introduce a MAC that can be seen as a different representation of Construction I above, and that will be used in the construction of the efficient randomized LV adversary code. The MAC can be described by a set of equations over F_q. The source state of the MAC is a vector of length Nl over F_q,

\[
x = [x_{1,0}, \cdots, x_{1,N-1}, \cdots, x_{l,0}, \cdots, x_{l,N-1}]^T
\]

The key for the MAC is a vector of length Nd + 3N − 2 over F_q, where d is the smallest integer that satisfies d(d+3)/2 ≥ l:

\[
r = [r_{1,0}, \cdots, r_{1,N-1}, \cdots, r_{d,0}, \cdots, r_{d,N-1},\; r_{d+1,0}, \cdots, r_{d+1,3N-3}]^T
\]



We write the key in the form of a (3N − 2) × (Nl + 1) matrix:

\[
R = [R_1 \mid \cdots \mid R_d \mid R_{d+1} \mid \cdots \mid R_l \mid R_{l+1}]
\]

where R_m is a matrix that, depending on the value of the index m, can take the following forms. For 1 ≤ m ≤ d, R_m is the (3N − 2) × N matrix whose column b (0 ≤ b ≤ N − 1) holds r_{m,0}, ⋯, r_{m,N−1} in rows b to b + N − 1 and zeros elsewhere:

\[
R_m = \begin{bmatrix}
r_{m,0} & 0 & \cdots & 0 \\
r_{m,1} & r_{m,0} & \ddots & \vdots \\
\vdots & \vdots & \ddots & 0 \\
r_{m,N-1} & r_{m,N-2} & \cdots & r_{m,0} \\
0 & r_{m,N-1} & \cdots & r_{m,1} \\
\vdots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & r_{m,N-1} \\
\vdots & & & \vdots \\
0 & \cdots & \cdots & 0
\end{bmatrix}
\]

For d + 1 ≤ m ≤ l, R_m is the (3N − 2) × N matrix of the same shifted form, whose column b holds r_{i,j,0}, ⋯, r_{i,j,2N−2} in rows b to b + 2N − 2:

\[
R_m = \begin{bmatrix}
r_{i,j,0} & 0 & \cdots & 0 \\
r_{i,j,1} & r_{i,j,0} & \ddots & \vdots \\
\vdots & \vdots & \ddots & 0 \\
r_{i,j,N-1} & r_{i,j,N-2} & \cdots & r_{i,j,0} \\
r_{i,j,N} & r_{i,j,N-1} & \cdots & r_{i,j,1} \\
\vdots & \vdots & & \vdots \\
r_{i,j,2N-2} & r_{i,j,2N-3} & \cdots & r_{i,j,N-1} \\
0 & r_{i,j,2N-2} & \cdots & r_{i,j,N} \\
\vdots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & r_{i,j,2N-2}
\end{bmatrix}
\]

where m is written as a pair of integers i and j, similar to the description of Construction I, and we have

\[
r_{i,j,k} = \sum_{\substack{0 \le a_1, a_2 \le N-1 \\ a_1 + a_2 = k}} r_{i,a_1}\, r_{j,a_2} \qquad \text{for } 0 \le k \le 2N-2.
\]

Finally, R_{l+1} = [r_{d+1,0}, ⋯, r_{d+1,3N−3}]^T.

The tag for a source state is a vector of length 3N − 2,

\[
t = [t_0, \cdots, t_{3N-3}]^T.
\]

A source state x is encoded to the message (x, t) using the MAC algorithm of Eq. (2).

The verification algorithm Ver(r, (x', t')) for a key r consists of calculating MAC(x', r) and comparing it with the received t'.

Lemma 3: The probability that a computationally unlimited adversary can forge a message (x', t') with x' ≠ x that passes the verification is no more than

Proof: Appendix B. ■

IV. Construction of LV Adversary Code 

In this section we describe the construction of an LV adversary code that uses the MAC algorithm in Section III-C2 together with an FRS code with appropriately chosen parameters.

A. (N, q^{NuR}, δ) randomized limited view adversary code

We assume the adversary reads pN positions and adds errors to the same positions. Let N and R denote the code length and information rate, respectively.

The LV adversary code is over F_q^u. The sender S wishes to send the message m = (m_0, ⋯, m_{NuR−1}) ∈ F_q^{NuR} to the receiver.

Randomized LV adversary code (figure): m = (m_0, ⋯, m_{NuR−1}) → x = (m, 0) → t_i = MAC(x, r_i) → (x, t_1, ⋯, t_N) → FRSEnc(x, t_1 ⋯ t_N), with the keys r_1, r_2, r_3, ⋯, r_N.

The LV adversary code is constructed over F_q^u where u = u_1 + u_2. The FRS code is over F_q^{u_1} and the randomness has length u_2. We set the parameters of MAC Construction II to be l = ⌈uR⌉ and d = ⌈√(2u_1)⌉. We have u_2 = Nd + 3N − 2 = N⌈√(2u_1)⌉ + 3N − 2 and u = u_1 + N⌈√(2u_1)⌉ + 3N − 2.



\[
\mathrm{MAC}(x, r) = \sum_{1 \le m \le d} R_m x_m + \sum_{d+1 \le m \le l} R_m x_m + R_{l+1}
= [R_1 \mid \cdots \mid R_l \mid R_{l+1}] \cdot
\begin{bmatrix} x_{1,0} \\ \vdots \\ x_{1,N-1} \\ \vdots \\ x_{l,N-1} \\ 1 \end{bmatrix}
\qquad (2)
\]



Encoding algorithm performed by the sender S

Step 1: Append the zero vector 0 ∈ F_q^{Nl − NuR} to the message m = (m_0, ⋯, m_{NuR−1}), and form the vector x = (m, 0) of length Nl.

Step 2: Generate random keys r_i, 1 ≤ i ≤ N, for MAC Construction II. Each key is written as a (3N − 2) × (Nl + 1) matrix,

\[
R_i = [R_{i,1} \mid \cdots \mid R_{i,l} \mid R_{i,l+1}]
\]

Step 3: Use MAC Construction II to generate the tags t_i = MAC(x, r_i), i = 1, ⋯, N.

The FRS code is of dimension k = Nl + N(3N − 2). The message block for the FRS code is

\[
m_{FRS} = (x, t_1 \cdots t_N)
\]

Step 4: Use the FRS encoding algorithm to encode m_FRS to the codeword c_FRS = Enc_FRS(m_FRS). The i-th component of c, the codeword of the limited view adversary code, is obtained by appending the randomness r_i to c_i^{FRS}, the i-th component of the FRS codeword: c_i = (c_i^{FRS}, r_i).



Decoding algorithm performed by the receiver $\mathcal{R}$

Step 1: Receive a corrupted word $y$ with the $i$-th component $y_i = (y_i^{FRS}, \tilde r_i)$. Here $y_i^{FRS}$ and $\tilde r_i$ are the $i$-th component of the FRS code and the randomness in corrupted form, respectively.

Step 2: Use the FRS decoding algorithm to decode the FRS codeword $y^{FRS}$ and obtain the system of linear equations, Eq. (6).

Step 3: Generate $N$ systems of linear equations, each system obtained from the set of linear equations generated by the FRS decoding algorithm and one MAC key $\tilde r_i$. The $i$-th system of linear equations is of the form,
$$\begin{bmatrix} B_0 & B_1 & \cdots & B_i & \cdots & B_N \\ \tilde R_i & 0 & \cdots & -I & \cdots & 0 \end{bmatrix} \begin{bmatrix} x \\ t_1 \\ \vdots \\ t_i \\ \vdots \\ t_N \end{bmatrix} = \begin{bmatrix} -a' \\ -\tilde R_{i,l+1} \end{bmatrix} \qquad (3)$$

The first $Nl + N(3N-2)$ equations are generated by the FRS decoding algorithm of Eq. (6): the first $Nl$ columns of the matrix of coefficients of these equations form $B_0$, and for $1 \le i \le N$, columns $(Nl + (i-1)(3N-2))$ to $(Nl + i(3N-2) - 1)$ of this matrix specify $B_i$. Finally, $-a'$ is the right hand side vector of Eq. (6). The last $3N-2$ equations are from MAC Construction II using key $\tilde r_i$, with $\tilde R_i = [\tilde R_{i,1} \mid \cdots \mid \tilde R_{i,l}]$ and $I$ the identity matrix.

Step 4: Solve each of the $N$ systems of linear equations. Let $x_i$ denote the first $Nl$ components of a solution output by the $i$-th system of linear equations. The $i$-th system of linear equations is considered to have output $x_i$ if $x_i$ is the unique output of this system. Otherwise $\mathcal{R}$ marks the output of the $i$-th system as NULL. If there is a unique $x$ output by a set of $N - pN$ systems of linear equations, $\mathcal{R}$ outputs the first $NuR$ components of that $x$ as $m$. Otherwise it outputs $\bot$.



B. Adversary's reading and writing capability

Theorem 1: The $(N, q^{RN}, \delta)$ randomized limited view adversary code over $\mathbb{F}_q^u$ above can correctly decode if the adversary reads and writes on the same set of size $pN$ of a codeword, where
$$p < \min\left(\frac{1}{2} - \frac{1}{2N},\; \frac{v}{v+1} - \frac{v}{v+1}\cdot\frac{uR + 3N}{N^2 + u - N(\sqrt{N^2 + 2u} + 3) - v}\right).$$

Proof: Firstly, $p < 1/2$: if the adversary can read and write on half of the components of a codeword $c$, they can choose any other codeword $c'$ and add an appropriate error vector to replace the components of $c$ on the controlled positions, to obtain $y$ which is equal to $c'$ on the controlled components and equal to $c$ on the remaining ones. The decoder cannot decode $y$ and fails.

Secondly, we find a bound on $p$ when $p < \frac{1}{2}$. The code dimension for the FRS code is $k = NuR$, and each component is in $\mathbb{F}_q^u$. Note that only the FRS code, which is over $\mathbb{F}_q^{u_1}$, contains the message information. Hence, $k = Nu_1 R_1$. Let $R_{FRS}$ be the information rate of the FRS code. The decoding algorithm of the LV adversary code needs to satisfy the decoding condition of the FRS code. According to Lemma 1, the FRS code with length $N$ and information rate $R_{FRS}$ can decode $pN$ adversarial errors if the following condition is satisfied:
$$N - pN \ge N\left(\frac{1}{v+1} + \frac{v}{v+1}\cdot\frac{u_1 R_{FRS}}{u_1 - v + 1}\right).$$
The condition is satisfied if,
$$N - pN \ge \frac{N}{v+1} + \frac{v}{v+1}\cdot\frac{N(u_1 R_1 + 1) + N(3N-2)}{u_1 - v + 1}.$$
The maximum error that the adversary can add is,
$$p \le \frac{v}{v+1} - \frac{v}{v+1}\cdot\frac{u_1 R_1 + 3N - 1}{u_1 - v + 1}. \qquad (4)$$
The LV adversary code is over $\mathbb{F}_q^u$ and $u = u_1 + \lceil\sqrt{2u_1}\rceil N + 3N - 2$. So we have,
$$u_1 \ge N^2 + u - 3N + 1 - N\sqrt{N^2 + 2u - 2(3N-1)}.$$
The decoding condition of the FRS code is satisfied if the following inequality is met:
$$p \le \frac{v}{v+1} - \frac{v}{v+1}\cdot\frac{uR + 3N - 1}{N^2 + u - 3N + 2 - N\sqrt{N^2 + 2u - 2(3N-1)} - v}.$$



This is equivalent to,
$$p < \frac{v}{v+1} - \frac{v}{v+1}\cdot\frac{uR + 3N}{N^2 + u - N(\sqrt{N^2 + 2u} + 3) - v}.$$
■

C. Decoding error

The adversary reads $pN$ components of a corrupted codeword and adds errors to the same positions using the knowledge of the components that are read.

Lemma 4: If the adversary does not choose the $i$-th position for read and write, the probability that the $i$-th system of linear equations (Eqs. (3)) does not produce the unique solution which contains the correct message $m$ is at most $\frac{2}{q^{N-v+1}}$. This is equivalent to,
$$\Pr\left[\exists\, c'^{FRS} \in \{c'^{FRS} : d_H(c'^{FRS}, y^{FRS}) \le pN\},\; t'_i = \mathrm{MAC}(x', r_i) \,\middle|\, C[c_{i_1} \cdots c_{i_{pN}}]\right] \le \frac{2}{q^{N-v+1}} \qquad (5)$$
with $c'^{FRS} = \mathrm{Enc}_{FRS}(m'^{FRS})$, $m'^{FRS} = (x', t'_1 \cdots t'_N)$ and $x' \neq x$.

Proof: Firstly, because the correct message is always contained in the decoded list of the FRS decoding algorithm, the correct $x = \{m, 0\}$ will be in the solution space of the system of linear Eqs. (3). Also, because the key has not been modified, the solution will be contained in the solution space of the equations generated by the MAC. Hence the solution space of Eqs. (3) must contain the correct message $m$.

Secondly, a solution $x'$, where $x' \neq x$, of the system of linear Eqs. (6) resulting from the FRS decoding algorithm will, with probability at most $\frac{2}{q^N}$, be a solution of the system of linear Eqs. (3). Now assume $x' \neq x$ is a solution of Eqs. (3). This means that it must satisfy the equations generated by the MAC:
$$\mathrm{MAC}(x', r_i) = t'_i.$$
Using Lemma 3, the probability that $\mathrm{MAC}(x', r_i) = t'_i$ is at most $\frac{2}{q^N}$.

Finally, the system of linear equations Eq. (6) generated by the decoding algorithm of the FRS code produces a list of at most $q^{v-1}$ solutions, $\{c'^{FRS} : d_H(c'^{FRS}, y^{FRS}) \le pN\}$, where each codeword represents a message of the form $m'^{FRS} = (x', t'_1 \cdots t'_N)$. The first $Nl$ components of each solution give one solution for $x'$. By the union bound over the solutions $x' \neq x$ of Eqs. (6) that are also solutions of Eqs. (5), Eqs. (3) has more than one solution with probability no more than $\frac{2q^{v-1}}{q^N} = \frac{2}{q^{N-v+1}}$.

The adversary has no information of $r_i$. After observing $\{c_{i_1}, \cdots, c_{i_{pN}}\}$, the probability that there exists $c'^{FRS} \in \{c'^{FRS} : d_H(c'^{FRS}, y^{FRS}) \le pN\}$ whose message passes the MAC verification $\mathrm{MAC}(x', r_i) = t'_i$ is still equal to $\frac{2}{q^{N-v+1}}$. ■

Theorem 2: The decoding error of the $(N, q^{RN}, \delta)$ randomized limited view adversary code is at most $\delta \le \frac{2N}{q^{N-v+1}}$.

Proof: Let $y = \mathrm{Enc}(m, r) + e$ be the corrupted word, and $I_3 = S_r = S_w$ denote the positions that are read and modified by the adversary. For a codeword $c' = (c'^{FRS}, r'_1, \cdots, r'_N)$ and $x' \neq x$, let $I_1^{c'} = \{i : c'_i = y_i\}$ and $I_2^{c'} = \{i : \mathrm{MAC}(x', r'_i) = t'_i\}$.

According to Definition 8, the probability of decoding failure for an encoding of a message $m$ that satisfies the observation set $(c_{i_1} \cdots c_{i_{pN}})$ is,
$$\Pr\left[B(\mathrm{Enc}(m, r) + e, pN) \cap \{C \setminus C_m\} \neq \emptyset \,\middle|\, C[c_{i_1} \cdots c_{i_{pN}}]\right].$$
This is the probability that for a codeword $c' \in C \setminus C_m$, there exist two subsets $I_1^{c'}$ and $I_2^{c'}$ such that $|I_1^{c'}| \ge N - pN$, $|I_3| = pN$ and $|I_1^{c'} \cap I_2^{c'}| \ge N - pN$. The latter two conditions imply $|I_1^{c'} \cap I_2^{c'}| \ge pN + 1$ if $p < \frac{1}{2}$, which can be written as,
$$|\{[N] \setminus I_3\} \cap I_1^{c'} \cap I_2^{c'}| \ge 1.$$
Note that $|I_1^{c'}| \ge N - pN$ implies $d_H(c'^{FRS}, y^{FRS}) \le pN$, and $|\{[N] \setminus I_3\} \cap I_1^{c'} \cap I_2^{c'}| \ge 1$ implies the existence of $i^{c'}$ such that $i^{c'} \in \{I_1^{c'} \cap I_2^{c'}\}$ and $i^{c'} \in [N] \setminus I_3$. This means that we have,
$$\begin{aligned}
&\Pr\left[B(\mathrm{Enc}(m, r) + e, pN) \cap \{C \setminus C_m\} \neq \emptyset \,\middle|\, C[c_{i_1} \cdots c_{i_{pN}}]\right] \\
&\le \Pr\left[(i^{c'} \in [N] \setminus I_3),\, (i^{c'} \in \{I_1^{c'} \cap I_2^{c'}\}),\, (d_H(c'^{FRS}, y^{FRS}) \le pN) \,\middle|\, C[c_{i_1} \cdots c_{i_{pN}}]\right] \\
&\le (N - pN)\Pr\left[(i^{c'} \notin I_3),\, (i^{c'} \in \{I_1^{c'} \cap I_2^{c'}\}),\, (d_H(c'^{FRS}, y^{FRS}) \le pN) \,\middle|\, C[c_{i_1} \cdots c_{i_{pN}}]\right] \\
&= (N - pN)\Pr\left[(i^{c'} \notin I_3),\, (\mathrm{MAC}(x', r_i) = t'_i),\, (d_H(c'^{FRS}, y^{FRS}) \le pN) \,\middle|\, C[c_{i_1} \cdots c_{i_{pN}}]\right] \\
&\le \frac{2N}{q^{N-v+1}}.
\end{aligned}$$
The last inequality is correct because of Lemma 4. ■

If we choose v = ^, u = + where $\varepsilon > 0$ is a small value, the decoding capability $p$ can be approximated as $p = \min\left(\frac{1}{2} - \frac{1}{2N},\; 1 - (1 + N\varepsilon^2)R - N\varepsilon^4 - N^2\varepsilon^6\right)$, and the decoding error will be given by δ < q'~N. The field size $q$ can be chosen as the smallest prime $q > Nu$. The encoding algorithm is polynomial in $N$. For the decoding algorithm, the computational complexity of solving any $i$-th system of linear equations, Eqs. (3), is $O(((uN + N^2)\log q)^2)$ and there are $N$ systems of linear equations. So the computational time of the decoding algorithm is polynomial in $O(N((uN + N^2)\log q)^2)$.

Corollary 1: Assume the adversary is allowed to read (at most) a $p$ fraction of a codeword and can write on the same set. The $(N, q^{RN}, \delta)$ randomized LV adversary code over $\mathbb{F}_q^u$, with $u$ chosen as above and
$$p < \min\left(\frac{1}{2} - \frac{1}{2N},\; 1 - (1 + N\varepsilon^2)R - N\varepsilon^4 - N^2\varepsilon^6\right),$$
can correctly decode the errors, and the decoding error $\delta$ vanishes as $N \to \infty$. The computational time is polynomial in $N$.

The construction above can be immediately used to construct an optimal 1-round $\delta$-RMT, by using the encoding algorithm of the LV adversary code with appropriate length to construct a codeword for the message, and simply sending the $i$-th component of the codeword on path $i$ in the RMT setting. The decoding error in LV adversary codes is equivalent to the strongest definition of reliability in the RMT scenario, where the adversary can choose the message, and so $\delta$ in RMT will be at most equal to the decoder failure in LV adversary codes. The optimality follows from the constant (non-zero) rate of the LV adversary code.

Corollary 2: The construction of the randomized LV adversary code gives an optimal 1-round $\delta$-RMT, where $\delta$ is the same as the decoding error in LV adversary codes.

V. Concluding Remarks

We introduced randomized limited view adversary codes and gave an efficient construction that, with an appropriate choice of parameters, can correct close to $N/2$ errors and will have information rate close to $1/2$. Although in general the observation and corruption sets can be different, in our construction we assumed they are the same. Giving a construction without this assumption will be our future work. In our construction the field size is a function of $N$, and so small $\delta$ can be obtained for large field sizes. Finding good LV adversary codes with fixed field size, and/or information rate approaching $1 - p - \epsilon$, are open problems.

Randomized codes do not have the restrictions of deterministic codes on their parameters and can achieve much better performance (higher $p_r$ and $p_w$ for fixed $R$). Finding general bounds and relationships among the information rate $R$, the observation ratio $p_r$ and the corruption ratio $p_w$, and finding the information capacity of LV adversary codes remain important research questions.

Our work showed that LV adversary codes provide a more refined way of modelling RMT scenarios, allowing to cater for the information rate of these protocols. Extending the definition of LV adversary codes to interactive scenarios will be an interesting open question.
Appendix

A. Decoding algorithm of FRS code

Linear algebraic list decoding [9] has two main steps: interpolation and message finding, as outlined below.

• Find a polynomial $Q(X, Y_1, \cdots, Y_v) = A_0(X) + A_1(X)Y_1 + \cdots + A_v(X)Y_v$ over $\mathbb{F}_q$ such that $\deg(A_i(X)) \le D$ for $i = 1 \cdots v$, and $\deg(A_0(X)) \le D + k - 1$, satisfying $Q(\alpha_i, y_{i1}, y_{i2}, \cdots, y_{iv}) = 0$ for $1 \le i \le n_0$, where $n_0 = (u_1 - v + 1)N$.

• Find all polynomials $f(X) \in \mathbb{F}_q[X]$ of degree at most $k - 1$, with coefficients $f_0, f_1 \cdots f_{k-1}$, that satisfy $A_0(X) + A_1(X)f(X) + A_2(X)f(\gamma X) + \cdots + A_v(X)f(\gamma^{v-1}X) = 0$, by solving a linear equation system.

The two above requirements are satisfied if $f \in \mathbb{F}_q[X]$ is a polynomial of degree at most $k - 1$ whose FRS encoding agrees with the received word $y$ in at least $T$ components:
$$T \ge N\left(\frac{1}{v+1} + \frac{v}{v+1}\cdot\frac{u_1 R}{u_1 - v + 1}\right).$$

This means we need to find all polynomials $f(X) \in \mathbb{F}_q[X]$ of degree at most $k - 1$, with coefficients $f_0, f_1, \cdots, f_{k-1}$, that satisfy,
$$A_0(X) + A_1(X)f(X) + A_2(X)f(\gamma X) + \cdots + A_v(X)f(\gamma^{v-1}X) = 0.$$

Let us denote $A_i(X) = \sum_j a_{i,j}X^j$ for $0 \le i \le v$ ($a_{i,j} = 0$ when $i \ge 1$ and $j > D$). Define the polynomials
$$B_0(X) = a_{1,0} + a_{2,0}X + a_{3,0}X^2 + \cdots + a_{v,0}X^{v-1}$$
$$\vdots$$
$$B_{k-1}(X) = a_{1,k-1} + a_{2,k-1}X + a_{3,k-1}X^2 + \cdots + a_{v,k-1}X^{v-1}$$

We examine the condition that the coefficient of $X^i$ of the polynomial $Q(X) = A_0(X) + A_1(X)f(X) + A_2(X)f(\gamma X) + \cdots + A_v(X)f(\gamma^{v-1}X)$ equals $0$, for $i = 0 \cdots k - 1$. This is equivalent to the following system of linear equations for $f_0 \cdots f_{k-1}$:
$$\begin{bmatrix} B_0(\gamma^0) & & & & \\ B_1(\gamma^0) & B_0(\gamma^1) & & & \\ B_2(\gamma^0) & B_1(\gamma^1) & B_0(\gamma^2) & & \\ \vdots & \vdots & \vdots & \ddots & \\ B_{k-1}(\gamma^0) & B_{k-2}(\gamma^1) & B_{k-3}(\gamma^2) & \cdots & B_0(\gamma^{k-1}) \end{bmatrix} \begin{bmatrix} f_0 \\ f_1 \\ f_2 \\ \vdots \\ f_{k-1} \end{bmatrix} = \begin{bmatrix} -a_{0,0} \\ -a_{0,1} \\ -a_{0,2} \\ \vdots \\ -a_{0,k-1} \end{bmatrix} \qquad (6)$$

The rank of the matrix of Eqs. (6) is at least $k - v + 1$ because there are at most $v - 1$ solutions of the equation $B_0(X) = 0$, so at most $v - 1$ of the $\gamma^i$ make $B_0(\gamma^i) = 0$. The dimension of the solution space is at most $v - 1$ because the rank of the matrix of Eqs. (6) is at least $k - v + 1$. So there are at most $q^{v-1}$ solutions to Eqs. (6), and this determines the size of the list, which is equal to $q^{v-1}$.
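As an added example that is not the paper's code, the toy below carries out the message-finding step just described: constructed $A_1(X)$, $A_2(X)$ and $\gamma$ stand in for the output of the interpolation step (which is not implemented here), $A_0(X)$ is fixed so that $Q(X)$ vanishes for a constructed $f$, the matrix of Eq. (6) is built from the $B_{i-t}(\gamma^t)$ entries, its rank over $\mathbb{F}_q$ is computed, and $f$ is recovered by Gauss-Jordan elimination. The function names and every numeric value are assumptions of the example.

```python
# Added example (not code from the paper): the message-finding step of Appendix A.
# Constructed A_1(X), A_2(X) and gamma stand in for the interpolation output; A_0(X) is
# then fixed so that Q(X) vanishes for a constructed f, and Eq. (6) is built and solved.


def poly_add(a, b, q):
    """Coefficient-wise sum over F_q; polynomials are lists, lowest degree first."""
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % q for i in range(n)]


def poly_mul(a, b, q):
    """Product over F_q[X] by plain convolution."""
    out = [0] * (len(a) + len(b) - 1)
    for i, s in enumerate(a):
        for j, t in enumerate(b):
            out[i + j] = (out[i + j] + s * t) % q
    return out


def coeff(p, j):
    return p[j] if j < len(p) else 0


def poly_eval(p, x, q):
    return sum(c * pow(x, i, q) for i, c in enumerate(p)) % q


def scale_arg(f, c, q):
    """Coefficients of f(cX): f_t * c^t."""
    return [(ft * pow(c, t, q)) % q for t, ft in enumerate(f)]


def consistent_a0(a_high, f, gamma, q):
    """A_0 = -(A_1 f(X) + A_2 f(gamma X) + ... + A_v f(gamma^{v-1} X)), so Q(X) = 0 for this f."""
    s = [0]
    for i, a_i in enumerate(a_high, start=1):
        s = poly_add(s, poly_mul(a_i, scale_arg(f, pow(gamma, i - 1, q), q), q), q)
    return [(-c) % q for c in s]


def b_poly(a_high, j):
    """B_j(X) = a_{1,j} + a_{2,j} X + ... + a_{v,j} X^{v-1}."""
    return [coeff(a_i, j) for a_i in a_high]


def eq6_system(a_high, a0, gamma, k, q):
    """Eq. (6): row i, column t holds B_{i-t}(gamma^t), the X^i coefficient contributed by f_t."""
    M = [[poly_eval(b_poly(a_high, i - t), pow(gamma, t, q), q) if t <= i else 0
          for t in range(k)] for i in range(k)]
    rhs = [(-coeff(a0, i)) % q for i in range(k)]
    return M, rhs


def solve_mod_q(M, rhs, q):
    """Gauss-Jordan elimination over F_q: returns (rank, one solution, or None if inconsistent)."""
    n, k = len(M), len(M[0])
    aug = [row[:] + [b] for row, b in zip(M, rhs)]
    pivots, r = [], 0
    for c in range(k):
        p = next((i for i in range(r, n) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [(v * inv) % q for v in aug[r]]
        for i in range(n):
            if i != r and aug[i][c]:
                fac = aug[i][c]
                aug[i] = [(a - fac * b) % q for a, b in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(not any(row[:k]) and row[k] for row in aug[r:]):
        return r, None
    sol = [0] * k
    for i, c in enumerate(pivots):
        sol[c] = aug[i][k]
    return r, sol


def recover_f(a_high, a0, gamma, k, q):
    """Solve Eq. (6) for f_0..f_{k-1}; rank >= k - v + 1 bounds the list size by q^{v-1}."""
    M, rhs = eq6_system(a_high, a0, gamma, k, q)
    return solve_mod_q(M, rhs, q)


# Constructed toy values: F_7, gamma = 3 (order 6 in F_7), k = 4, v = 2, D = 2.
Q, GAMMA, K, V = 7, 3, 4, 2
F = [2, 5, 1, 3]                  # constructed f(X) = 2 + 5X + X^2 + 3X^3
A_HIGH = [[1, 4], [4, 2, 5]]      # constructed A_1(X) = 1 + 4X, A_2(X) = 4 + 2X + 5X^2

if __name__ == "__main__":
    a0 = consistent_a0(A_HIGH, F, GAMMA, Q)
    rank, f = recover_f(A_HIGH, a0, GAMMA, K, Q)
    print("rank", rank, ">=", K - V + 1, "recovered f:", f, "matches:", f == F)
```

For these values $B_0(X) = 1 + 4X$ has no root among $\gamma^0, \ldots, \gamma^{k-1}$, so the matrix is full rank and the list contains the single polynomial $f$; a root would lower the rank by one, which is exactly the $k - v + 1$ argument above.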

B. Proof of Lemma 3

Proof: We need to find the following probability:
$$\Pr[(\mathrm{MAC}(x', r) = t') \mid (\mathrm{MAC}(x, r) = t)].$$

The MAC function given by Eq. (2) is equivalent to the MAC of the polynomial form in Eq. (7). For $0 \le i \le 3N - 3$, the coefficients of $X^i$ on both sides of Eq. (7) form the same equation as the $i$-th equation in the system of linear equations (2):
$$t(X) = \mathrm{MAC}(x, r) = \sum_{1 \le m \le d} x_m(X)r_m(X) + \sum_{\substack{d+1 \le m \le l \\ m = id + j - \frac{i(i-1)}{2}}} x_m(X)r_i(X)r_j(X) + r_{d+1}(X) \bmod q \qquad (7)$$
where each polynomial is given below:
$$x_m(X) = x_{m,0} + \cdots + x_{m,N-1}X^{N-1} \bmod q, \quad 1 \le m \le l$$
$$r_m(X) = r_{m,0} + \cdots + r_{m,N-1}X^{N-1} \bmod q, \quad 1 \le m \le d$$
$$r_m(X) = r_{ij,0} + \cdots + r_{ij,2N-2}X^{2N-2} = r_i(X)r_j(X) \bmod q, \quad d+1 \le m \le l,\; m = id + j - \frac{i(i-1)}{2}$$
$$r_{d+1}(X) = r_{d+1,0} + \cdots + r_{d+1,3N-3}X^{3N-3} \bmod q$$
Finally, $t(X) = t_0 + \cdots + t_{3N-3}X^{3N-3} \bmod q$.

So if we can prove that the adversary's forging capability against the MAC in the form of Eq. (7) is no more than $\epsilon$, then the adversary's forging capability against MAC Construction II (Eq. (2)) is also no more than $\epsilon$.

Next we prove that the adversary's forging capability against the MAC in the form of Eq. (7) is no more than $\frac{2}{q^N}$. Assume the adversary forges a message $(x', t')$ with $x' \neq x$ that passes the verification. We write the MAC in polynomial form:
$$t'(X) = \mathrm{MAC}(x', r) = \sum_{1 \le m \le d} x'_m(X)r_m(X) + \sum_{\substack{d+1 \le m \le l \\ m = id + j - \frac{i(i-1)}{2}}} x'_m(X)r_i(X)r_j(X) + r_{d+1}(X) \bmod q \qquad (8)$$
By subtracting the two equations we will have,
$$\sum_{\substack{d+1 \le m \le l \\ m = id + j - \frac{i(i-1)}{2}}} \Delta x_m(X)r_i(X)r_j(X) + \sum_{1 \le m \le d} \Delta x_m(X)r_m(X) = \Delta t(X) \bmod q.$$
The above equation has at most $2q^{N(d-1)}$ solutions for $(r_1(X), \cdots, r_d(X))$. This means that there are at most $2q^{N(d-1)}$ keys $r$ that satisfy $\mathrm{MAC}(x, r) = t$ and $\mathrm{MAC}(x', r) = t'$. However, there are $q^{Nd}$ possible values for $r$ satisfying $\mathrm{MAC}(x, r) = t$. So the success probability of the forgery is,
$$\Pr[(\mathrm{MAC}(x', r) = t') \mid (\mathrm{MAC}(x, r) = t)] \le \frac{2q^{N(d-1)}}{q^{Nd}} = \frac{2}{q^N}.$$
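As an added example that is not code from the paper, the toy below implements MAC Construction II in the polynomial form of Eq. (7), builds the $(3N-2) \times (Nl+1)$ key matrix of Eq. (2) and checks that the two forms agree (the equivalence used at the start of this proof and in Step 3 of the decoder), and then enumerates every key for constructed parameters $q = 3$, $N = 2$, $d = 2$, $l = 3$ to compute the best conditional forgery probability $\Pr[\mathrm{MAC}(x', r) = t' \mid \mathrm{MAC}(x, r) = t]$ exactly. The result meets the $2/q^N$ bound of Lemma 3 with equality when $x'$ differs from $x$ in a product block (the two roots of $r_1^2 = \Delta t$), and is $1/q^N$ when the difference is in a linear block. All parameter values, messages, the key and the function names are assumptions of the example.

```python
# Added example (not code from the paper): a toy model of MAC Construction II in the
# polynomial form of Eq. (7) and the matrix form of Eq. (2), plus an exhaustive check of
# the forgery bound 2/q^N of Lemma 3. Every parameter, message and key below is constructed.
from collections import Counter, defaultdict
from itertools import product


def poly_add(a, b, q):
    """Coefficient-wise sum over F_q; polynomials are lists, lowest degree first."""
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % q for i in range(n)]


def poly_mul(a, b, q):
    """Product over F_q[X] (plain convolution, no modulus polynomial), as in Eq. (7)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, s in enumerate(a):
        for j, t in enumerate(b):
            out[i + j] = (out[i + j] + s * t) % q
    return out


def pair_index(i, j, d):
    """Block index m = i*d + j - i(i-1)/2 served by the product key r_i r_j (1 <= i <= j <= d)."""
    return i * d + j - i * (i - 1) // 2


def product_keys(r, q, d):
    """The product keys r_i(X) r_j(X) for d+1 <= m <= d + d(d+1)/2, keyed by m."""
    return {pair_index(i, j, d): poly_mul(r[i - 1], r[j - 1], q)
            for i in range(1, d + 1) for j in range(i, d + 1)}


def mac_poly(x_blocks, key, q, N, d):
    """Eq. (7): t = sum_{m<=d} x_m r_m + sum_{m>d} x_m r_i r_j + r_{d+1}; 3N-2 coefficients."""
    r, r_last = key                  # r: d polynomials of N coefficients; r_last: 3N-2 coefficients
    prod = product_keys(r, q, d)
    t = [0] * (3 * N - 2)
    for m, x_m in enumerate(x_blocks, start=1):
        t = poly_add(t, poly_mul(x_m, r[m - 1] if m <= d else prod[m], q), q)
    return tuple(poly_add(t, r_last, q))


def key_matrix(key, q, N, d, l):
    """Eq. (2): the (3N-2) x (Nl+1) matrix [R_1 | ... | R_l | R_{l+1}] of one key."""
    r, r_last = key
    prod = product_keys(r, q, d)
    R = [[0] * (N * l + 1) for _ in range(3 * N - 2)]
    for m in range(1, l + 1):
        k_m = r[m - 1] if m <= d else prod[m]
        for col in range(N):                  # multiplying x_m(X) by k_m(X) is a Toeplitz block
            for deg, coef in enumerate(k_m):
                R[col + deg][(m - 1) * N + col] = coef
    for row in range(3 * N - 2):              # last column: the additive key r_{d+1}
        R[row][N * l] = r_last[row]
    return R


def mac_matrix(x_blocks, key, q, N, d):
    """Eq. (2) evaluated as R * (x, 1)^T over F_q; must agree with mac_poly."""
    vec = [c for block in x_blocks for c in block] + [1]
    R = key_matrix(key, q, N, d, len(x_blocks))
    return tuple(sum(a * b for a, b in zip(row, vec)) % q for row in R)


def max_forgery_probability(x, x_prime, q, N, d):
    """Best Pr[MAC(x', r) = t' | MAC(x, r) = t] over all (t, t'), r uniform, by enumeration."""
    by_tag = defaultdict(Counter)
    for flat in product(range(q), repeat=N * d + 3 * N - 2):
        r = [list(flat[i * N:(i + 1) * N]) for i in range(d)]
        key = (r, list(flat[N * d:]))
        by_tag[mac_poly(x, key, q, N, d)][mac_poly(x_prime, key, q, N, d)] += 1
    return max(max(c.values()) / sum(c.values()) for c in by_tag.values())


# Constructed toy parameters: F_3, N = 2, d = 2, l = 3 blocks (l <= d + d(d+1)/2 = 5).
Q, N_, D = 3, 2, 2
X = [[1, 0], [0, 0], [0, 0]]            # message blocks x_1, x_2, x_3 (N coefficients each)
X_LINEAR = [[0, 0], [0, 0], [0, 0]]     # differs from X in a linear block (m = 1 <= d)
X_SQUARE = [[1, 0], [0, 0], [1, 0]]     # differs from X in block m = 3, which uses r_1^2
KEY = ([[1, 2], [0, 1]], [2, 0, 1, 1])  # constructed key: r_1, r_2 and r_{d+1}

if __name__ == "__main__":
    tag = mac_poly(X, KEY, Q, N_, D)
    print("tag", tag, "matrix form agrees:", tag == mac_matrix(X, KEY, Q, N_, D))
    print("linear block:", max_forgery_probability(X, X_LINEAR, Q, N_, D), "<=", 2 / Q ** N_)
    print("product block:", max_forgery_probability(X, X_SQUARE, Q, N_, D), "<=", 2 / Q ** N_)
```

The enumeration visits all $q^{Nd + 3N - 2}$ keys and is only feasible at toy sizes; for the paper's parameters the counting argument of this appendix is what gives the bound. The linear-block case returns $1/9$ because $\Delta x_1 r_1 = \Delta t$ has one root, and the product-block case returns exactly $2/9 = 2/q^N$ because $\pm r_1$ share a square.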



